Firewall wireless access points on a business LAN



  • Hello…I am interested in using pfSense as a firewall between my wireless access points at a location and the LAN.  Right now, all wireless access points at a location go straight into the rest of the LAN.

    I would like to consolidate the WAPs using a switch and be able to run this connection through pfSense before hitting the local LAN.

    I installed pfSense on a regular PC with 2 NICs.  How should I configure the interfaces and pfSense in general to work in this fashion?

    I'm just looking to add another layer of protection between the WAPs and the LAN.

    Thanks



  • You'll need either a third NIC, or to be able to use VLANs.



  • @Cry:

    You'll need either a third NIC, or to be able to use VLANs.

    Unless he means this firewall will only be for the WAPs and is not the Internet firewall. In that case, maybe a bridged configuration?



  • Yes, this firewall is only for the WAPs.  Whatever device successfully connects to the WAP, I want to be able to restrict the traffic to certain devices and ports that can pass through to the LAN.

    Basically, the same as taking a PC from the LAN, plugging it directly into the firewall, and allowing only certain traffic through to the LAN.



  • In that case there isn't anything special to do.  Simply create the firewall rules to allow what you want and leave the default deny rule to block everything else.



  • ok…so I guess the WAP would be on the 'WAN' interface?  Would the default gateway be the 'LAN' card?

    Also, I don't see a way to set a default gateway on the LAN interface.  Is this possible?

    So basically this firewall is meant to be an Internet firewall and what I'm trying to do is not really what the firewall was designed for?



  • @helmsman:

    ok…so I guess the WAP would be on the 'WAN' interface?  Would the default gateway be the 'LAN' card?

    Also, I don't see a way to set a default gateway on the LAN interface.  Is this possible?

    So basically this firewall is meant to be an Internet firewall and what I'm trying to do is not really what the firewall was designed for?

    I would use the pfSense LAN interface to connect to the WAP(s) and connect the pfSense WAN interface to your LAN. I would use pfSense as the DHCP server for the wireless clients, then pfSense will automatically tell your wireless clients what the default gateway is (pfSense).

    The default firewall rules in pfSense essentially allow any access from the pfSense LAN side and block (unsolicited) access from the pfSense WAN side so you will need to add firewall rules to both pfSense interfaces to give the access controls you are looking for. (The firewall rules apply to incoming packets on the corresponding interface.) No internet required! But if you have internet access and you want wireless clients to access the internet that can also be controlled by the firewall rules.

    If you have a DHCP server on your LAN you could have the pfSense WAN interface get its address from the DHCP server OR you could assign it as a static address. In the latter case, if you also want to allow some internet access you would have to configure a gateway on the WAN interface.
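The topology in the reply above, written out as a pf ruleset so the intended policy is explicit. This is an added example, not from the thread or from pfSense itself (pfSense generates its own pf rules from the web GUI, this is the hand-written equivalent); interface names, subnets, server addresses and ports are assumptions.

```pf
# Assumed layout: pfSense "LAN" (em1) cabled to the WAP switch, pfSense "WAN" (em0)
# cabled to the existing corporate LAN. pfSense is 192.168.50.1 and the DHCP/DNS
# server for wireless clients. All addresses below are constructed for the example.
wlan_if   = "em1"
lan_if    = "em0"
wlan_net  = "192.168.50.0/24"
lan_net   = "10.0.0.0/24"
file_srv  = "10.0.0.10"      # the only LAN hosts wireless clients may reach
print_srv = "10.0.0.20"

set skip on lo0

# pfSense enables automatic outbound NAT by default, so the corporate LAN sees
# wireless traffic as coming from the pfSense WAN address; disable it (and add a
# route on the LAN) if per-client visibility on the LAN side is wanted.
nat on $lan_if from $wlan_net to any -> ($lan_if)

# Default deny on every interface; pf is last-match, so the "quick" rules below win.
block in log all

# Wireless side: replaces the stock "allow LAN to any" rule. Rules match packets
# entering the interface. DHCP requests come from 0.0.0.0, so match on ports only.
pass in quick on $wlan_if proto udp from any port 68 to any port 67
pass in quick on $wlan_if proto { tcp udp } from $wlan_net to 192.168.50.1 port 53
pass in quick on $wlan_if proto tcp from $wlan_net to $file_srv port 445
pass in quick on $wlan_if proto tcp from $wlan_net to $print_srv port { 631 9100 }
# Everything else toward the corporate LAN is dropped and logged (explicit so the
# denials show up in the firewall log under a recognisable rule).
block in quick log on $wlan_if from $wlan_net to $lan_net
# Internet access, if wanted, would be a further "pass ... to !$lan_net" rule here
# plus a gateway configured on the WAN interface, as the reply describes.

# Corporate LAN side (pfSense "WAN"): nothing unsolicited reaches the wireless
# segment; replies to the passes above are allowed by pf's stateful matching.
block in quick log on $lan_if from any to $wlan_net
```

Check the loaded policy with `pfctl -sr` and watch denials with `tcpdump -n -e -ttt -i pflog0` on the console.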

